---
title: Sniffing network traffic
course: intro_pentest
section: Exploitation
layout: lesson
---

Another popular technique that can be used to gain access to systems is
network sniffing. Sniffing is the process of capturing and viewing traffic as
it is passed along the network. Several popular protocols in use today still
send sensitive and important information over the network without encryption.
Network traffic sent without using encryption is often referred to as clear text
because it is human-readable and requires no deciphering. Sniffing clear text
network traffic is a trivial yet effective means of gaining access to systems.

Before we begin sniffing traffic, it’s important that you understand some basic
network concepts. We will start with the difference between promiscuous mode and
non-promiscuous mode.

By default, most network cards operate in non-promiscuous mode. Non-promiscuous
mode means that the network interface card (NIC) will only pass on the specific
traffic that is addressed to it. If the NIC receives traffic that matches its
address, the NIC will pass the traffic onto the CPU for processing.

If the NIC receives traffic that doesn’t match its address, the NIC simply
discards the packets. In many ways, a NIC in non-promiscuous mode acts like a
ticket taker at a movie theater. The ticket taker stops people from entering the
theater unless they have a ticket for the specific show.

Promiscuous mode, on the other hand, forces the NIC to accept all packets that
arrive. In promiscuous mode, all network traffic is passed onto the CPU for
processing regardless of whether it was destined for the system or not.

To successfully sniff network traffic that isn’t normally destined for your PC,
you must make sure your network card is in promiscuous mode.
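Because a sniffer needs the NIC in promiscuous mode, a defender can look for exactly that state on a host. The script below is an added example, not code from the original lesson: on Linux it reads the kernel’s flag word for each interface from `/sys/class/net/<iface>/flags` (standard sysfs) and reports every interface whose `IFF_PROMISC` bit (0x100, from `<linux/if.h>`) is set, which is the same state `ip link` shows as `PROMISC`. On a system without that sysfs tree it simply reports nothing.

```python
"""List Linux network interfaces that are in promiscuous mode.

Added example for this lesson (not the lesson's own code). It inspects
/sys/class/net/<iface>/flags, a hex flag word maintained by the kernel,
and tests the IFF_PROMISC bit.
"""
import os

SYS_NET = "/sys/class/net"   # sysfs path where Linux exposes each interface
IFF_PROMISC = 0x100          # promiscuous-mode bit from <linux/if.h>


def is_promiscuous(flags_text: str) -> bool:
    """Parse a sysfs flag word such as '0x1103\n' and report whether the
    promiscuous bit is set (0x1103 = UP|BROADCAST|PROMISC|MULTICAST)."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net: str = SYS_NET) -> list[str]:
    """Return the names of all interfaces whose flags have IFF_PROMISC set.

    Returns an empty list when sysfs is not available (non-Linux hosts)."""
    found = []
    if not os.path.isdir(sys_net):
        return found
    for iface in sorted(os.listdir(sys_net)):
        flags_path = os.path.join(sys_net, iface, "flags")
        try:
            with open(flags_path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # interface vanished or flags file unreadable
    return found


if __name__ == "__main__":
    promisc = promiscuous_interfaces()
    if promisc:
        print("Interfaces in promiscuous mode:", ", ".join(promisc))
    else:
        print("No interface is in promiscuous mode.")
```

A normal wired interface that is up typically shows `0x1003` (UP, BROADCAST, MULTICAST); when a sniffer enables promiscuous mode the value becomes `0x1103`. Note that the kernel also logs a message of the form `device eth0 entered promiscuous mode`, so the same condition can be picked up from the system log on hosts you monitor.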

You may be wondering how network traffic could arrive at a computer or device
when the traffic was not addressed to that device. There are several possible
scenarios where this situation may arise. First, any traffic that is broadcast
on the network will be sent to all connected devices. Another example is
networks that use hubs rather than switches to connect devices.

A hub works by simply sending all the traffic it receives to all the devices
connected to its physical ports. In networks that use a hub, your NIC is
constantly disregarding packets that don’t belong to it. For example, assume we
have a small 8-port hub with 8 computers plugged into the hub. In this
environment, when the PC plugged into port number 1 wants to send a message to
the PC plugged into port number 7, the message (network traffic) is actually
delivered to all the computers plugged into the hub. However, assuming all the
computers are in non-promiscuous mode, machines 2-6 simply disregard the
traffic.

Many people believe that you can fix this situation by simply swapping your hubs
for switches. This is because, unlike hubs, which repeat all traffic to all
ports, switches are more selective. When you first plug a computer into a
switch, the MAC address of the computer’s NIC is registered with the switch.
This information (the computer’s MAC address and the switch’s port number) is
then used by the switch to forward traffic destined for a specific machine only
to the corresponding port. Going back to our previous example, if a switch is
being used and PC 1 sends a message to PC 7, the switch processes the network
traffic and consults the table containing the MAC addresses and port numbers. It
then sends the message only to the computer connected to port number 7. Devices
2-6 and 8 never receive the traffic.
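To make the hub/switch difference concrete, the following simulation is an added example (not part of the original lesson). It models the eight PCs above, pushes a frame from PC 1 to PC 7 through a hub and through a switch, and then asks a second question the prose only implies: of the NICs the frame physically reaches, which ones actually hand it to the CPU, depending on whether they are in promiscuous mode. It also goes a little beyond the text in one respect: the switch learns source MAC addresses as frames arrive and, like real switches, floods a frame whose destination MAC it has not learned yet (and any broadcast frame) out of every port, which is why even a switched network leaks some traffic to every host. The MAC addresses and message text are constructed for the example.

```python
"""Hub versus switch delivery of a single Ethernet frame (simulation).

Added example for this lesson, not the lesson's own code. Eight PCs sit on
ports 1-8; PC 1 sends a frame to PC 7 and we record which ports the frame
reaches and which NICs would pass it up to the CPU.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


def hub_forward(in_port: int, frame: Frame, ports: range) -> set[int]:
    """A hub repeats the signal out of every port except the ingress port.
    It has no notion of addresses, so every attached NIC sees the frame."""
    return {p for p in ports if p != in_port}


@dataclass
class Switch:
    ports: range
    mac_table: dict[str, int] = field(default_factory=dict)  # MAC -> port

    def forward(self, in_port: int, frame: Frame) -> set[int]:
        # Learn: the source MAC is reachable through the port it arrived on.
        self.mac_table[frame.src_mac] = in_port
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            # Broadcast, or a destination not yet learned: flood like a hub.
            return {p for p in self.ports if p != in_port}
        # Known unicast destination: deliver to that single port only.
        return {self.mac_table[frame.dst_mac]}


def hosts_that_process(delivered: set[int], frame: Frame,
                       mac_of: dict[int, str], promiscuous: set[int]) -> set[int]:
    """Of the ports the frame reached, which NICs pass it to the CPU?
    A non-promiscuous NIC keeps only frames addressed to it or to broadcast;
    a promiscuous NIC keeps everything it receives."""
    return {p for p in delivered
            if p in promiscuous
            or mac_of[p] == frame.dst_mac
            or frame.dst_mac == BROADCAST}


def demo() -> dict[str, set[int]]:
    """Run the PC 1 -> PC 7 scenario through a hub and a switch."""
    ports = range(1, 9)
    # Constructed locally-administered MAC addresses for the eight PCs.
    mac_of = {p: f"02:00:00:00:00:{p:02x}" for p in ports}
    frame = Frame(mac_of[1], mac_of[7], "hello PC 7")
    results: dict[str, set[int]] = {}

    # Hub: every other port gets the frame; only PC 7 (or a promiscuous
    # NIC, here on port 4) actually processes it.
    results["hub_delivered"] = hub_forward(1, frame, ports)
    results["hub_processed_nonpromisc"] = hosts_that_process(
        results["hub_delivered"], frame, mac_of, set())
    results["hub_processed_promisc4"] = hosts_that_process(
        results["hub_delivered"], frame, mac_of, {4})

    # Switch: PC 7 has not spoken yet, so the first frame is flooded.
    sw = Switch(ports)
    results["switch_first_delivered"] = sw.forward(1, frame)
    # PC 7 replies, so the switch learns MAC(PC 7) -> port 7.
    sw.forward(7, Frame(mac_of[7], mac_of[1], "hi PC 1"))
    # The same frame now reaches port 7 alone; port 4 sees nothing,
    # promiscuous or not.
    results["switch_learned_delivered"] = sw.forward(1, frame)
    results["switch_processed_promisc4"] = hosts_that_process(
        results["switch_learned_delivered"], frame, mac_of, {4})
    return results


if __name__ == "__main__":
    for name, reached in demo().items():
        print(f"{name:28s} -> ports {sorted(reached)}")
```

Running it shows the hub delivering the frame to ports 2-8 while only PC 7 processes it in non-promiscuous mode, the switch flooding the very first frame because its table is empty, and the switch delivering only to port 7 once it has learned where PC 7 lives. That learned state is what makes sniffing harder on a switched network, and it is also why the table a switch keeps deserves the same protection and monitoring as any other piece of network state.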
